Two Windows bloggers have produced proof-of-concept code for circumventing the User Account Control feature in the Windows 7 beta. But even after Microsoft reportedly fixed a privilege escalation security issue in internal beta builds, there is debate as to whether or not the UAC feature is vulnerable by default.
Microsoft says it has addressed a security issue affecting the User
Account Control feature
in the Windows 7 beta
that researchers contended
leaves users vulnerable.
fixed a privilege escalation issue
in internal beta builds of Windows 7 that was raised by researchers, the company said. Still, Microsoft officials
take issue with claims that UAC's default setting can be classified as a
The issue relating to UAC was publicized by Windows bloggers Rafael Rivera
and Long Zheng. During the week of Feb. 2, Zheng and Rivera have
posted proof-of-concept code that circumvents UAC in the Windows 7 beta
and allows hackers to use preapproved Microsoft applications to fool Windows 7
into granting malicious code full access rights.
The core of the issue is that by default, Windows 7's UAC is set to
"Notify me only when programs try to make changes to my computer" and
"Don't notify me when I make changes to Windows settings." According
to the researchers, Windows 7 uses a special Microsoft Windows 7 certificate to
distinguish between third-party programs and applications or applets that
manage Windows settings.
Click here to read Security Center Editor Larry Seltzer's view on the User Account Control issue.
Because some Microsoft-signed applications can also execute third-party
code, and there is an inherent trust for everything Microsoft-signed, the chain
of trust inadvertently flows onto other third-party code as well, Zheng
explained. As a result, it is possible for hackers to use that trust to change
the UAC settings without the user ever knowing, the researchers said.
"This public disclosure comes after a private disclosure to Microsoft
and Windows 7 beta testers earlier this week," Zheng wrote on his blog
Feb. 4. "If and until a patch is available, I feel obliged to outline the
elevated risk to the millions of Windows 7 beta user running Windows 7 beta in
its default UAC policy of 'Notify me of changes by program, not of Windows
changes,' which does not adequately enforce the privilege system, arguably an
essential factor to a safe operating system."
however, contended that UAC works as it's supposed to.
"The first issue to untangle is about the difference between malware
making it onto a PC and being run, versus what it can do once it is
running," blogged Jon DeVaan, senior vice president of Microsoft's Windows
Core Operating System Division. "There has been no report of a way for
malware to make it onto a PC without consent. All of the feedback so far
concerns the behavior of UAC once malware has found its way onto the PC and is
running. Microsoft's position that the reports about UAC do not constitute a
vulnerability is because the reports have not shown a way for malware to get
onto the machine in the first place without express consent."
According to DeVaan, Microsoft has added two options to UAC that were not
available in Windows Vista-"Notify me only when programs try to make
changes to my computer (without desktop dimming)" and "Notify me only
when programs try to make changes to my computer (with desktop dimming)."
Windows Vista only allows for "Always Notify" and "Never
The idea was to give users more choice, and to keep the prompts from
becoming annoying. Though a Microsoft spokesperson offered no timeline for when
the fix in the internal beta builds would make its way to the public, the
spokesperson said the fix will be in the upcoming release candidate.
In the meantime, users of the current beta can
change their UAC settings to higher levels as a solution.